Introduction on security protocols / Modeling / Verification / Towards cryptographic guarantees

Difficulty: there are potentially powerful attackers!

Presence of an attacker, who:
- may participate in the protocol,
- may forge and send messages,
- may read every message sent on the net,
- may intercept messages.

Attacking Single Sign On Protocol

Single Sign On protocols enable users to log in once for several services; used e.g. in Google Apps.

A flaw discovered in 2010, now fixed (Avantssar project):
- Step 1: An attacker offers an interesting or funny (but malicious) new Google App.
- Step 2: Some clients register to this malicious application.
- Step 3: The attacker can now access all the other applications of the client, including e.g. Gmail or Google Calendar.

Designing protocols is error prone

Software testing leaves flaws:
- Flaw in the authentication protocol used in Google Apps
- Attack on pay-per-view devices
- Man-in-the-middle attack

These flaws rely on the design of the protocols:
- not on a bad implementation (bugs),
- not on weaknesses of the primitives (e.g. encryption, signatures),
- not on generic hacking techniques (e.g. worms, code injection).

Example: Electronic voting

Elections are a security-sensitive process which is the cornerstone of modern democracy.

Electronic voting promises:
- a convenient, efficient and secure facility for recording and tallying votes,
- for a variety of types of elections: from small committees or on-line communities through to full-scale national elections.

Already used e.g. in Estonia, Norway, USA, France (from abroad).

Two main families for e-voting

Voting machines:
- Voters have to attend a voting station.
- External authentication system (e.g. ID card).

Internet voting:
- Voters vote from home, from their own computers.
- Systems in use: Civitas (A. Myers et al.), Helios, ...

Helios: a voting protocol for low-coercion environment

The security of Helios relies on the assumption that the voter's computer can be trusted.

Not suitable for political elections. A corrupted machine may:
- leak the choice of the voter,
- vote for a different candidate,
e.g. the attack by Laurent Grégoire on the Élections législatives pour les Français de l'étranger, using code injection.

Suitable for medium-stakes elections:
- professional elections,
- scientific councils, students' representatives, etc.,
- union representatives.

Should be compared with previous voting systems in use: e.g. the attack (ballot stuffing) on the 2011 CNRS election, which used paper ballots (with barcodes).

Modeling attackers

We assume that the network can be controlled by attackers, who:
- may participate in the protocol,
- may forge and send messages,
- may read every message sent on the net,
- may intercept messages.

Attackers in applied pi-calculus: a protocol P satisfies some property φ if, for all processes A, $A \mid P \models \varphi$.

Examples of security properties

Secrecy of s: if $A \mid P \to^* Q$ then $Q \not\xrightarrow{\mathrm{out}(s)} Q'$.
For any attacker A and reachable process Q, the secret s remains unknown.

Authentication/Agreement: if $A \mid P \to^* Q$ then $Q \models \mathrm{Received}(B, N_a) \Rightarrow \mathrm{Sent}(A, N_a)$.
For any attacker A, if B receives a nonce believing it is from A then A must have sent it.

Most properties can be expressed as accessibility properties.
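The secrecy property above can be checked by hand on a finite trace. The following is an added example, not code from the slides or from ProVerif: it computes what a passive attacker who reads every message can deduce, using a constructed term representation (`pair`, `senc`) and constructed traces. It covers eavesdropping on a fixed trace only, not active attackers or unbounded sessions.

```python
# Terms: atoms are strings; compound terms are tuples such as
# ("pair", a, b) or ("senc", message, key) for symmetric encryption.

def can_build(term, known):
    """Synthesis: can the attacker compose `term` from what it knows?"""
    if term in known:
        return True
    if isinstance(term, tuple):
        return all(can_build(arg, known) for arg in term[1:])
    return False  # an atom the attacker has never seen

def saturate(observed):
    """Analysis: close knowledge under projection and decryption."""
    known = set(observed)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                parts = {t[1], t[2]}
            elif t[0] == "senc" and can_build(t[2], known):
                parts = {t[1]}  # key is derivable, so the payload is too
            else:
                parts = set()
            if not parts <= known:
                known |= parts
                changed = True
    return known

def secret_leaks(observed, secret):
    """Secrecy fails iff the attacker can derive `secret` from the trace."""
    return can_build(secret, saturate(observed))

# Constructed traces of a toy protocol (not taken from the slides).
TRACE_SAFE = [("pair", "A", "B"), ("senc", "s", "k_ab")]
TRACE_LEAKY = [("senc", "s", ("pair", "n_a", "n_b")),  # key = pair(n_a, n_b)
               "n_a",                                   # nonce sent in clear
               ("senc", "n_b", "n_a")]                  # n_b protected by n_a

if __name__ == "__main__":
    print(secret_leaks(TRACE_SAFE, "s"), secret_leaks(TRACE_LEAKY, "s"))
```

In the leaky trace the key is never sent, yet the attacker rebuilds it from its two components, which is why the decryption rule tests whether the key can be built rather than whether it was observed.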

What is a secure voting protocol?

Let's have a closer look at privacy

How to state formally: "No one should know my vote (0 or 1)"?

Idea 1: An attacker should not learn the value of my vote.
But everyone knows 0 and 1!

Idea 2: An attacker should not attach my vote to my identity.
But everyone can form ⟨Alice, 0⟩ and ⟨Alice, 1⟩!

Idea 3: An attacker cannot see the difference when I vote 0 or 1.

$\mathrm{Voter}_1(0) \mid \mathrm{Voter}_2(v_2) \mid \dots \mid \mathrm{Voter}_n(v_n) \;\approx\; \mathrm{Voter}_1(1) \mid \mathrm{Voter}_2(v_2) \mid \dots \mid \mathrm{Voter}_n(v_n)$

The attacker always sees the difference since the tally differs. Unanimity does break privacy.

How does ProVerif work?

- Developed by Bruno Blanchet, ENS Paris, France.
- Implements a sound semi-decision procedure (that may not terminate).
- The applied pi-calculus is translated into first-order logic, more precisely into Horn clauses.
- Based on a resolution strategy well adapted to protocols.

Efficient and sound resolution strategy

Idea: resolution is only applied on selected literals $A_1, B$ that do not belong to a forbidden set S. Typically $S = \{I(x)\}$.

Theorem: Resolution based on selection, avoiding S, is complete w.r.t. satisfiability.

If the fixed point does not contain the empty clause, then the corresponding protocol is secure. ProVerif may not terminate.

Performs very well in practice!
- Works on most existing protocols in the literature.
- Is also used on industrial protocols (e.g. certified protocol, JFK, Plutus filesystem).
- Can handle various cryptographic primitives (various encryption, signatures, blind signatures, hash, etc.).

Limitations of this approach?

Are you ready to use any protocol verified with this technique?
- Side-channel attacks.
- Representing messages by a term algebra abstracts away many mathematical properties.

Computational secrecy

One-Wayness: the probability for an adversary A to compute the secret s against a protocol P is negligible (smaller than any inverse of polynomial).

Not strong enough!
- The adversary may be able to compute half of the secret message.
- There is no guarantee in case some partial information on the secret is known.

Indistinguishability: the adversary should not learn a bit of the secret.

$\left|\Pr[(A \mid P(n_0)) \to 1] - \Pr[(A \mid P(n_1)) \to 1]\right|$ is negligible.
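The gap between the two definitions can be seen on a toy protocol. The following is an added example, not taken from the slides: the protocol, the two adversaries and the secrets `N0`, `N1`, `SAME_0`, `SAME_1` are all constructed for illustration. The protocol sends half of the secret in clear and the other half under a one-time pad, so it resists recovery of the whole secret yet is trivially distinguishable.

```python
import secrets

HALF = 8  # bytes; every secret is 2 * HALF bytes long

def protocol(secret: bytes) -> bytes:
    """Toy P(n): first half in clear, second half under a fresh one-time pad."""
    pad = secrets.token_bytes(HALF)
    hidden = bytes(a ^ b for a, b in zip(secret[HALF:], pad))
    return secret[:HALF] + hidden

def recover_adversary(transcript: bytes) -> bytes:
    """One-wayness adversary: copies the leaked half, must guess the rest."""
    return transcript[:HALF] + secrets.token_bytes(HALF)

def distinguisher(transcript: bytes, n1: bytes) -> int:
    """Indistinguishability adversary: outputs 1 iff the clear half is n1's."""
    return int(transcript[:HALF] == n1[:HALF])

def one_wayness_wins(trials: int) -> int:
    """How often the recovery adversary outputs the complete secret."""
    wins = 0
    for _ in range(trials):
        s = secrets.token_bytes(2 * HALF)
        wins += recover_adversary(protocol(s)) == s
    return wins

def distinguishing_advantage(n0: bytes, n1: bytes, trials: int) -> float:
    """Empirical |Pr[A outputs 1 on P(n0)] - Pr[A outputs 1 on P(n1)]|."""
    p0 = sum(distinguisher(protocol(n0), n1) for _ in range(trials)) / trials
    p1 = sum(distinguisher(protocol(n1), n1) for _ in range(trials)) / trials
    return abs(p0 - p1)

# Constructed secrets (illustrative values only).
N0, N1 = bytes(2 * HALF), bytes([1]) * (2 * HALF)          # differ everywhere
SAME_0, SAME_1 = b"A" * HALF + b"B" * HALF, b"A" * HALF + b"C" * HALF

if __name__ == "__main__":
    print("full recoveries:", one_wayness_wins(1000))
    print("advantage, different clear halves:", distinguishing_advantage(N0, N1, 1000))
    print("advantage, same clear half:", distinguishing_advantage(SAME_0, SAME_1, 1000))
```

A full recovery needs a correct guess of 64 padded bits, so the first count stays at 0 in practice, while the distinguishing advantage is 1 whenever the clear halves differ.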
